Merge pull request #10 from RUB-NDS/development-3.0

Development 3.0
RUB-NDS · Mar 19, 2018 · 6223760 · 6223760
2 parents bf365c5 + 02ae955
commit 6223760
Show file tree

Hide file tree

Showing 21 changed files with 2,447 additions and 250 deletions.
diff --git a/BappDescription.html b/BappDescription.html
@@ -0,0 +1,33 @@
+<p>This extension processes and recognizes single sign-on protocols.</p>
+
+<p><strong>Detecting</strong></p>
+<p>Supported Protocols:</p>
+<ul>
+    <li>SAML</li>
+    <li>OpenID</li>
+    <li>OAuth</li>
+    <li>BrowserId</li>
+    <li>OpenID Connect</li>
+    <li>Facebook Connect</li>
+    <li>Microsoft Account</li>
+</ul>
+
+<p><strong>Attacking</strong></p>
+<ul>
+    <li>WS-Attacker integration while intercepting SAML messages</li>
+    <li>DTD-Attacker integration while intercepting SAML messages</li>
+</ul>
+
+<p><strong>Beautifier</strong></p>
+<ul>
+    <li>Syntax Highlight</li>
+    <li>Highlight SSO messages in proxy window and display the protocol type</li>
+    <li>Show all recognized SSO messages in a history tab</li>
+    <li>Context menu for 'Analyze SSO Protocol'</li>
+</ul>
+
+<p><strong>Editors/Viewers</strong></p>
+<ul>
+    <li>View and edit SAML</li>
+    <li>View JSON and JSON Web Token (JWT)</li>
+</ul>
diff --git a/BappManifest.bmf b/BappManifest.bmf
@@ -0,0 +1,12 @@
+Uuid: e1d08d4ab1ea4c17be3431d7d2b20b30
+ExtensionType: 1
+Name: EsPReSSO
+RepoName: espresso
+ScreenVersion: 3.0
+SerialVersion: 3
+MinPlatformVersion: 0
+ProOnly: False
+Author: Tim Guenther, Christian Mainka and Vladislav Mladenov
+ShortDescription: Processes and recognizes single sign-on protocols.
+EntryPoint: target/EsPReSSO-3.0-jar-with-dependencies.jar
+BuildCommand: mvn package -DskipTests=true -Dmaven.javadoc.skip=true -B
diff --git a/README.md b/README.md
@@ -1,7 +1,7 @@
 # EsPReSSO
 [![Build Status](https://travis-ci.org/RUB-NDS/BurpSSOExtension.svg?branch=master)](https://travis-ci.org/RUB-NDS/BurpSSOExtension)
 ![licence](https://img.shields.io/badge/License-GPLv2-brightgreen.svg)
-[![release](https://img.shields.io/badge/Release-v2.0.2-blue.svg)](https://github.com/RUB-NDS/BurpSSOExtension/releases)
+[![release](https://img.shields.io/badge/Release-v3.0-blue.svg)](https://github.com/RUB-NDS/BurpSSOExtension/releases)
 ![status](https://img.shields.io/badge/Status-beta-yellow.svg)
 
 ## Extension for Processing and Recognition of Single Sign-On Protocols
@@ -23,22 +23,18 @@ Supported Protocols:
 - [x] Microsoft Account
 
 ### Attacking
-- [x] WS-Attacker integration while interception SAML messages
+- [x] WS-Attacker integration while intercepting SAML messages
+- [x] DTD-Attacker integration while intercepting SAML messages
 
 ### Beautifier
-- [x] View and edit SAML messages.
-- [x] Show SAML in a history tab
 - [x] Syntax Highlight
+- [x] Highlight SSO messages in proxy window and display the protocol type
+- [x] Show all recognized SSO messages in a history tab
 - [x] Context menu for 'Analyze SSO Protocol'
 
-### Editors
-- [x] SAML
-- [x] JSON
-- [x] JSON Web Token (JWT)
-
-### Basic functions
-- [x] Highlight SSO messages in proxy window, incl. the SSO type.
-- [x] Detect OpenID login possibilities on websites (other protocols will follow).
+### Editors/Viewers
+- [x] View and edit SAML
+- [x] View JSON and JSON Web Token (JWT)
 
 ## Build
 ```bash
@@ -51,21 +47,23 @@ $ mvn clean package
 - Build the JAR file as described above, or download it from [releases](https://github.com/RUB-NDS/BurpSSOExtension/releases).
 - Load the JAR file from the target folder into Burp's Extender. (Start Burp with Java 1.8)
 - SSO messages are highlighted automatically in Burp's HTTP history (Proxy tab).
-- A History, Options and Help can be found in a new tab called 'EsPReSSO'
+- SAML, JSON and JWT editors and viewers attached automatically.
+- A SSO History, Options and Help can be found in a new tab called 'EsPReSSO'.
 
 ## Dependencies and Licences
 
- Dependencie     | Licence                         | Access Date | Link                                          | Copyright (c) Date, Name                                             |
-|-----------------|---------------------------------|-------------|-----------------------------------------------|----------------------------------------------------------------------|
-| RSyntaxTextArea | modified BSD license            | 20.09.2015  | https://github.com/bobbylight/RSyntaxTextArea | 2012, Robert Futrell                                                 |
-| json-simple     | Apache License 2.0              | 20.09.2015  | https://code.google.com/p/json-simple/        | Unkown, Yidong Fang                                                  |
-| WSAttacker      | GNU General Public License v2.0 | 20.09.2015  | https://github.com/RUB-NDS/WS-Attacker/       | 2012, Christain Mainka, Andreas Falkenberg, Jurai Somorovski, et al. |
+ Dependencie     | Licence                         | Access Date | Link                                                              | Copyright (c) Date, Name                                             |
+|-----------------|---------------------------------|-------------|-------------------------------------------------------------------|----------------------------------------------------------------------|
+| RSyntaxTextArea | modified BSD license            | 20.09.2015  | https://github.com/bobbylight/RSyntaxTextArea                     | 2012, Robert Futrell                                                 |
+| json-simple     | Apache License 2.0              | 20.09.2015  | https://code.google.com/p/json-simple/                            | Unkown, Yidong Fang                                                  |
+| WSAttacker      | GNU General Public License v2.0 | 20.09.2015  | https://github.com/RUB-NDS/WS-Attacker/                           | 2012, Christain Mainka, Andreas Falkenberg, Jurai Somorovski, et al. |
+| junit           | Eclipse Public License 1.0      | 12.03.2018  | https://github.com/junit-team/junit4                              | Unkown, Erich Gamma and Kent Beck.                                                  |
+| jutf7           | MIT license                     | 12.03.2018  | https://sourceforge.net/projects/jutf7/                           | 2011, Jaap Beetstra                                                  |
+| commons-io      | Apache License 2.0              | 12.03.2018  | https://github.com/apache/commons-io                              | 2012, Scott Sanders, et al.                                          |
 
 ## Tested with:
-- Java 1.8.0._60
-- Burp Suite 1.6.01
-- Arch Linux 4.1.6-1-arch, amd64
-- Netbeans 8.0.2
-- Maven 3.3.3
-
-
+- Java 1.8.0._151
+- Burp Suite 1.7.32
+- Ubuntu 16.04.3 LTS, amd64
+- Netbeans 8.2
+- Maven 3.3.9
diff --git a/pom.xml b/pom.xml
@@ -4,32 +4,32 @@
     <groupId>burp</groupId>
     <!-- formaly kown as BurpExtensionSSO -->
     <artifactId>EsPReSSO</artifactId>
-    <version>2.0.2</version>
+    <version>3.0</version>
     <packaging>jar</packaging>
     <inceptionYear>2015</inceptionYear>
     <dependencies>
         <!-- Burp Suite Extension API -->
         <dependency>
-            <groupId>com.h3xstream.retirejs</groupId>
-            <artifactId>burp-api</artifactId>
-            <version>1.0.0</version>
+            <groupId>net.portswigger.burp.extender</groupId>
+            <artifactId>burp-extender-api</artifactId>
+            <version>1.7.22</version>
         </dependency>
         <!-- Syntax Highlighting -->
         <dependency>
             <groupId>com.fifesoft</groupId>
             <artifactId>rsyntaxtextarea</artifactId>
-            <version>2.5.7</version>
+            <version>2.6.1</version>
         </dependency>
         <!-- JSON -->
         <dependency>
             <groupId>org.json</groupId>
             <artifactId>json</artifactId>
-            <version>20141113</version>
+            <version>20180130</version>
         </dependency>
         <dependency>
             <groupId>com.googlecode.json-simple</groupId>
             <artifactId>json-simple</artifactId>
-            <version>1.1</version>
+            <version>1.1.1</version>
         </dependency>
         <!-- Signature Faking Library -->
         <dependency>
@@ -41,26 +41,43 @@
             <groupId>wsattacker.library</groupId>
             <artifactId>Signature_Wrapping_Library</artifactId>
             <version>1.7</version>
-          </dependency>
+        </dependency>
         <dependency>
             <groupId>org.jdesktop</groupId>
             <artifactId>beansbinding</artifactId>
             <version>1.2.1</version>
         </dependency>
+        <!--CommonIO-->
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.6</version>
+        </dependency>
+        <dependency>
+            <artifactId>junit</artifactId>
+            <groupId>junit</groupId>
+            <version>4.12</version>
+        </dependency>
+        <!-- https://mvnrepository.com/artifact/com.beetstra.jutf7/jutf7 -->
+        <dependency>
+            <groupId>com.beetstra.jutf7</groupId>
+            <artifactId>jutf7</artifactId>
+            <version>1.0.0</version>
+        </dependency>
     </dependencies>
 
     <repositories>
         <!-- WS-Attacker Repository -->
         <repository>
-          <id>wsattacker-repos</id>
-          <name>wsattacker</name>
-          <url>https://repo.nds.rub.de/repository/wsattacker-repos/</url>
-          <releases>
-            <enabled>true</enabled>
-          </releases>
-          <snapshots>
-            <enabled>true</enabled>
-          </snapshots>
+            <id>wsattacker-repos</id>
+            <name>wsattacker</name>
+            <url>https://repo.nds.rub.de/repository/wsattacker-repos/</url>
+            <releases>
+                <enabled>true</enabled>
+            </releases>
+            <snapshots>
+                <enabled>true</enabled>
+            </snapshots>
         </repository>
     </repositories>
 
@@ -100,35 +117,35 @@
             <!-- include dependencies in jar -->
             <plugin>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.1</version>
+                <version>3.7.0</version>
                 <configuration>
                     <source>1.8</source>
                     <target>1.8</target>
                     <descriptorRefs>
-                            <descriptorRef>jar-with-dependencies</descriptorRef>
+                        <descriptorRef>jar-with-dependencies</descriptorRef>
                     </descriptorRefs>
                 </configuration>
             </plugin>
             <plugin>
                 <artifactId>maven-assembly-plugin</artifactId>
-                <version>2.2</version>
+                <version>2.6</version>
                 <configuration>
                     <descriptorRefs>
-                            <descriptorRef>jar-with-dependencies</descriptorRef>
+                        <descriptorRef>jar-with-dependencies</descriptorRef>
                     </descriptorRefs>
                 </configuration>
                 <executions>
                     <execution>
                         <id>make-assembly</id>
                         <phase>package</phase>
                         <goals>
-                                <goal>single</goal>
+                            <goal>single</goal>
                         </goals>
                     </execution>
                 </executions>
             </plugin>
             <!-- include LaTeX doclet-->
-<!--            <plugin>
+            <!--            <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-javadoc-plugin</artifactId>
                 <version>2.9</version>

diff --git a/src/main/java/de/rub/nds/burp/espresso/editor/JSONEditor.java b/src/main/java/de/rub/nds/burp/espresso/editor/JSONEditor.java
@@ -99,7 +99,7 @@ public InputTab(IMessageEditorController controller, boolean editable) {
             burpEditor.setEditable(editable);
 
             // create a source code viewer
-            sourceViewer = new UISourceViewer();
+            sourceViewer = new UISourceViewer(callbacks);
             guiContainer.addTab("JSON Viewer", sourceViewer);
             guiContainer.addTab("Raw", burpEditor.getComponent());
         }

diff --git a/src/main/java/de/rub/nds/burp/espresso/editor/JWTEditor.java b/src/main/java/de/rub/nds/burp/espresso/editor/JWTEditor.java
@@ -103,9 +103,9 @@ public InputTab(IMessageEditorController controller, boolean editable) {
             txtInput.setEditable(editable);
 
             // create a source code viewer
-            sourceViewerHeader = new UISourceViewer();
-            sourceViewerPayload = new UISourceViewer();
-            sourceViewerSignature = new UISourceViewer();
+            sourceViewerHeader = new UISourceViewer(callbacks);
+            sourceViewerPayload = new UISourceViewer(callbacks);
+            sourceViewerSignature = new UISourceViewer(callbacks);
             editor.addTab("Header", sourceViewerHeader);
             editor.addTab("Payload", sourceViewerPayload);
             editor.addTab("Base64(Signature)", sourceViewerSignature);